
Re: Last Call: Security Architecture for the Internet Protocol to Proposed Standard



Tero Kivinen writes:
> The nonce must NOT be truncated in the encryption, because if only
> part of the nonce is encrypted and transmitted then the authentication
> hashes don't match. Both ends need to generate nonces that are
> suitable for encryption for the public key of the remote end.

Of course, if the nonce is truncated, the sender has to notify the recipient
of this fact. (Alternatively the parties have to decide in advance on the
appropriate size of the nonce.) I agree that a comment to this effect
should be added to the IKE document.
 
> I don't think this issue is a problem in the original RSA encryption
> mode. Most of the time the ID will be just 64 bits (IPv4 address),
> that can be encrypted using almost any key. For IPv6 the ID length is
> 160 bits and that also doesn't cause any problems. If the ID is
> ID_FQDN, ID_USER_FQDN, or ID_DER_ASN1_{DN,GN}, and the ID is too long,
> then we just don't use RSA encryption mode.

I agree that today the problem will probably occur quite rarely. 
(I suspect that IDs will get longer pretty fast, but that's a different
issue.) Anyway, why not use the revised mode, where the problem NEVER appears?
(Is it really that much more complicated to implement, given all the rest?
I find it surprising...)


Ran
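An added size check, not part of this thread or of any IKE implementation, that models why the ID length matters in the original public-key encryption mode but not in the revised one. It assumes PKCS#1 v1.5 padding (11 bytes of overhead per RSA block) and uses constructed modulus, ID and nonce lengths.

```python
"""Which IKE public-key encryption modes fit a given RSA key size?

Assumptions (not stated in the thread): RSA encryption uses PKCS#1 v1.5
block type 2 padding, which consumes 11 bytes of every modulus-sized
block, and a value is only encryptable if it fits in a single block.
"""
PKCS1_V15_OVERHEAD = 11  # 0x00 0x02, at least 8 random bytes, 0x00 separator


def rsa_capacity(modulus_bits: int) -> int:
    """Largest plaintext, in bytes, that one RSA block can carry."""
    return modulus_bits // 8 - PKCS1_V15_OVERHEAD


def original_mode_ok(modulus_bits: int, id_len: int, nonce_len: int) -> bool:
    """Original mode: the ID and the nonce are each RSA-encrypted on their
    own, so both must fit.  The nonce is never shortened to make it fit;
    a too-long nonce simply rules the mode out."""
    cap = rsa_capacity(modulus_bits)
    return id_len <= cap and nonce_len <= cap


def revised_mode_ok(modulus_bits: int, id_len: int, nonce_len: int) -> bool:
    """Revised mode: only the nonce is RSA-encrypted; the ID is encrypted
    under a symmetric key derived from that nonce, so the ID length never
    interacts with the RSA block size."""
    return nonce_len <= rsa_capacity(modulus_bits)


def usable_modes(modulus_bits: int, id_len: int, nonce_len: int) -> list:
    """Return the names of the modes that can carry these payload sizes."""
    modes = []
    if original_mode_ok(modulus_bits, id_len, nonce_len):
        modes.append("original")
    if revised_mode_ok(modulus_bits, id_len, nonce_len):
        modes.append("revised")
    return modes


if __name__ == "__main__":
    # Constructed sample: a 512-bit key, a 16-byte IPv6 ID, a 20-byte nonce,
    # and an 80-byte FQDN that overflows the 53-byte block capacity.
    print(rsa_capacity(512))            # 53
    print(usable_modes(512, 16, 20))    # ['original', 'revised']
    print(usable_modes(512, 80, 20))    # ['revised']
    print(usable_modes(512, 16, 64))    # [] -- nonce itself too long
```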